Exchange Server Quarterly Servicing updates, changes, zero-day vulnerability fixes released

Yesterday we released the Exchange Server quarterly servicing Cumulative Updates (for Exchange 2013/2016/2019) and an Update Rollup (for Exchange 2010) for all supported versions of Exchange Server.

A few highlights:

  • These updates contain the fixes that mitigate the zero-day and related vulnerabilities.
  • An architectural change to EWS Push Notification authentication; this change addresses the EWS vulnerability.
  • KB4490060 outlines the details of the changes made.
  • Customers who rely on Push Notifications should understand the important changes made.
  • EWS Pull and Streaming Notifications functionality is unchanged by these updates.
  • The change in Push Notification authentication is a permanent change to the product and is necessary to protect the security of an Exchange Server.

The Exchange team has determined that a change in the Active Directory rights granted to Exchange Servers using the default Shared Permissions Model is in order.

  • Changes in the latest cumulative updates, described in KB4490059, reduce the scope of objects where Exchange is able to write security descriptors in the directory.
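A practitioner-side check for the permission change above, added here and not part of the original post or of KB4490059: it lists the ACEs on the domain naming context that grant WriteDacl to the default Exchange security groups, so you can record their inheritance scope before the update and compare it after. The group names ("Exchange Windows Permissions", "Exchange Trusted Subsystem") are the Exchange defaults and the script relies on the AD: drive that the ActiveDirectory module provides; both are assumptions, so adjust the names if your organization renamed the groups.

```powershell
# Added example (not from the original post or from Microsoft): enumerate WriteDacl ACEs
# granted to the Exchange security groups on the domain root and show their scope.
Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl below

function Get-ExchangeWriteDaclAces {
    param(
        # Object to inspect; defaults to the domain naming context (assumption: run in the target domain)
        [string]$DistinguishedName = (Get-ADDomain).DistinguishedName,
        # Default Exchange group names (assumption: not renamed in your forest)
        [string[]]$GroupNames = @('Exchange Windows Permissions', 'Exchange Trusted Subsystem')
    )

    $writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    $acl.Access |
        Where-Object {
            $identity = $_.IdentityReference.Value          # e.g. CONTOSO\Exchange Windows Permissions
            $matchesGroup = $GroupNames | Where-Object { $identity -like "*\$_" }
            $matchesGroup -and (($_.ActiveDirectoryRights -band $writeDacl) -ne 0)
        } |
        Select-Object IdentityReference,
                      AccessControlType,
                      ActiveDirectoryRights,
                      InheritanceType,      # None = this object only; All/Descendents = every object below the root
                      InheritedObjectType,
                      IsInherited
}

# Run once before the CU (or before setup /PrepareAD) and once after, and diff the two outputs.
Get-ExchangeWriteDaclAces | Format-Table -AutoSize
```

An Allow ACE for WriteDacl whose InheritanceType is All or Descendents applies to every object under the domain root, which is the broad scope the KB describes reducing; an ACE scoped to None (this object only) covers the domain object alone. Compare the two runs rather than relying on the presence or absence of a single ACE, since the exact ACE layout depends on the Exchange version and on any custom delegation already in the forest.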

Exchange Server 2010, 2013, 2016 and 2019 all receive an update package.

I also learnt about the Shared Permissions vs. Split Permissions model.

For more information, please refer to the detailed EHLO blog post and its guidance.